calcite: add ssh-tpm-agent
This commit is contained in:
parent
26a11e0df0
commit
aa230d639f
10 changed files with 136 additions and 29 deletions
48
flake.lock
48
flake.lock
|
@ -84,11 +84,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709204054,
|
||||
"narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=",
|
||||
"lastModified": 1709764752,
|
||||
"narHash": "sha256-+lM4J4JoJeiN8V+3WSWndPHj1pJ9Jc1UMikGbXLqCTk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "2f3367769a93b226c467551315e9e270c3f78b15",
|
||||
"rev": "cf111d1a849ddfc38e9155be029519b0e2329615",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -104,11 +104,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708830466,
|
||||
"narHash": "sha256-nGKe3Y1/jkLR2eh1aRSVBtKadMBNv8kOnB52UXqRy6A=",
|
||||
"lastModified": 1709708644,
|
||||
"narHash": "sha256-XAFOkZ6yexsqeJrCXWoHxopq0i+7ZqbwATXomMnGmr4=",
|
||||
"owner": "Mic92",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "f070c7eeec3bde8c8c8baa9c02b6d3d5e114d73b",
|
||||
"rev": "94a1e46434736a40f976a454f8bd3ea2144f349b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -128,11 +128,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1709341970,
|
||||
"narHash": "sha256-r/Xwhz4ESWGztKRBcLqi76zDZv1HeSgXEdkyOPWkluY=",
|
||||
"lastModified": 1709773506,
|
||||
"narHash": "sha256-RK9D2rbN7usqlxogWSBA0EsKDScSF/Uyb8ATntC4juA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-vscode-extensions",
|
||||
"rev": "75224309c1a5378bbee401360dbcc5e8865895e4",
|
||||
"rev": "a17ea69caec11561e73c985360fb596c25f74131",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -166,11 +166,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1709147990,
|
||||
"narHash": "sha256-vpXMWoaCtMYJ7lisJedCRhQG9BSsInEyZnnG5GfY9tQ=",
|
||||
"lastModified": 1709410583,
|
||||
"narHash": "sha256-esOSUoQ7mblwcsSea0K17McZuwAIjoS6dq/4b83+lvw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "33a97b5814d36ddd65ad678ad07ce43b1a67f159",
|
||||
"rev": "59e37017b9ed31dee303dbbd4531c594df95cfbc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -182,11 +182,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1709237383,
|
||||
"narHash": "sha256-cy6ArO4k5qTx+l5o+0mL9f5fa86tYUX3ozE1S+Txlds=",
|
||||
"lastModified": 1709479366,
|
||||
"narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1536926ef5621b09bba54035ae2bb6d806d72ac8",
|
||||
"rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -214,11 +214,11 @@
|
|||
},
|
||||
"nixpkgs-stable_2": {
|
||||
"locked": {
|
||||
"lastModified": 1708819810,
|
||||
"narHash": "sha256-1KosU+ZFXf31GPeCBNxobZWMgHsSOJcrSFA6F2jhzdE=",
|
||||
"lastModified": 1709428628,
|
||||
"narHash": "sha256-//ZCCnpVai/ShtO2vPjh3AWgo8riXCaret6V9s7Hew4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "89a2a12e6c8c6a56c72eb3589982c8e2f89c70ea",
|
||||
"rev": "66d65cb00b82ffa04ee03347595aa20e41fe3555",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -230,11 +230,11 @@
|
|||
},
|
||||
"nur": {
|
||||
"locked": {
|
||||
"lastModified": 1709348332,
|
||||
"narHash": "sha256-63SZlPordsga65TlNcZbLPUZU4MLGqj/jn3XFuVTE+4=",
|
||||
"lastModified": 1709780742,
|
||||
"narHash": "sha256-mJXQZLSI/zgQ98nHMSdmJ0l0YL3n38FWsdE9OiKPcWk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "NUR",
|
||||
"rev": "5b634d8100c7e7d3ac195e393ea5c14fb6e90db3",
|
||||
"rev": "3428e6cf4521df6254ff5b8bcf31df84fc1dd0d2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -266,11 +266,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708987867,
|
||||
"narHash": "sha256-k2lDaDWNTU5sBVHanYzjDKVDmk29RHIgdbbXu5sdzBA=",
|
||||
"lastModified": 1709711091,
|
||||
"narHash": "sha256-L0rSIU9IguTG4YqSj4B/02SyTEz55ACq5t8gXpzteYc=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "a1c8de14f60924fafe13aea66b46157f0150f4cf",
|
||||
"rev": "25dd60fdd08fcacee2567a26ba6b91fe098941dc",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -169,6 +169,7 @@
|
|||
nixos-hardware.nixosModules.asus-zephyrus-ga401
|
||||
machines/calcite/configuration.nix
|
||||
(mkHome "xin" "calcite")
|
||||
(./overlays)
|
||||
];
|
||||
};
|
||||
raspite = mkNixos {
|
||||
|
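Review bot: `(./overlays)` in calcite's module list carries parentheses that the sibling path entry `machines/calcite/configuration.nix` does not; a bare `./overlays` evaluates to the same import and matches the surrounding style. Because the overlay is wired in as a NixOS module import here, `pkgs.ssh-tpm-agent` exists only for hosts that import it, which is easy to miss when reading the shared `modules/nixos` module later; a one-line comment such as `# provides pkgs.ssh-tpm-agent for services.ssh-tpm-agent` would save that lookup. The `mkNixos` call this list belongs to begins outside the hunk.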
@ -199,7 +200,7 @@
|
|||
{
|
||||
devShells = {
|
||||
default = pkgs.mkShell {
|
||||
packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp ];
|
||||
packages = with pkgs; [ git colmena sops nix-output-monitor rnix-lsp nvd ];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
@ -22,9 +22,16 @@
|
|||
enable = true;
|
||||
# expose /run/current-system/sw/lib/libtpm2_pkcs11.so
|
||||
pkcs11.enable = true;
|
||||
# TODO: Need this until fapi-config is fixed in NixOS
|
||||
pkcs11.package = pkgs.tpm2-pkcs11.override { fapiSupport = false; };
|
||||
# TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
|
||||
tctiEnvironment.enable = true;
|
||||
};
|
||||
services.gnome.gnome-keyring.enable = lib.mkForce false;
|
||||
security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
|
||||
services.ssh-tpm-agent.enable = true;
|
||||
|
||||
programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
|
||||
|
||||
networking.hostName = "calcite";
|
||||
|
||||
|
|
|
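Review bot: The library filename in `programs.ssh.agentPKCS11Whitelist` disagrees with the comment at the top of this hunk: the whitelist names `libtpm_pkcs11.so`, the comment says the pkcs11 option exposes `libtpm2_pkcs11.so`. If the package ships the latter, the whitelist entry never matches and the agent refuses the provider; `programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm2_pkcs11.so";`. Note also that this whitelist is read by OpenSSH's own ssh-agent, not by ssh-tpm-agent, so with `services.ssh-tpm-agent.enable = true` it presumably only takes effect if `programs.ssh.startAgent` is also set, which is not visible in this hunk. The enclosing attribute set starts and ends outside the hunk.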
@ -14,7 +14,7 @@ in
|
|||
enable = mkEnableOption "Git ssh signing";
|
||||
keyFile = mkOption {
|
||||
type = types.str;
|
||||
default = "~/.ssh/id_ed25519_sk";
|
||||
default = "~/.ssh/id.pub";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -44,13 +44,14 @@ in
|
|||
scala-lang.scala
|
||||
scalameta.metals
|
||||
|
||||
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))
|
||||
twxs.cmake
|
||||
|
||||
sterben.fpga-support
|
||||
|
||||
ms-vscode-remote.remote-ssh-edit
|
||||
mushan.vscode-paste-image
|
||||
]) ++ (with pkgs.vscode-extensions; [
|
||||
ms-vscode.cmake-tools
|
||||
twxs.cmake
|
||||
waderyan.gitblame
|
||||
catppuccin.catppuccin-vsc
|
||||
# Rust
|
||||
|
|
|
@ -7,5 +7,6 @@
|
|||
./hedgedoc.nix
|
||||
./sing-box.nix
|
||||
./kanidm-client.nix
|
||||
./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
|
||||
];
|
||||
}
|
||||
|
|
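Review bot: The FIXME on `./ssh-tpm-agent.nix` should say what breaks when upstream merges: the local module declares `services.ssh-tpm-agent.enable`, so once nixpkgs ships a module declaring the same option both declarations collide and evaluation fails, and this import must then be removed or the upstream module listed in `disabledModules`. Suggested comment: `# FIXME: local copy until the upstream module lands; then drop this import (or add the upstream module to disabledModules) to avoid a duplicate services.ssh-tpm-agent.enable declaration`. The enclosing `imports` list begins outside the hunk.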
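--- a/modules/nixos/ssh-tpm-agent.nix
+++ b/modules/nixos/ssh-tpm-agent.nix
@@ -0,0 +1,48 @@
+# Temporary workaround
+{ config, pkgs, lib, ... }:
+let
+cfg = config.services.ssh-tpm-agent;
+in
+{
+options = {
+services.ssh-tpm-agent.enable = lib.mkEnableOption "TPM supported ssh agent in go";
+};
+config = lib.mkIf cfg.enable {
+systemd.user.services.ssh-tpm-agent = {
+enable = true;
+unitConfig = {
+Description = "SSH TPM agent service";
+Documentation = "man:ssh-agent(1) man:ssh-add(1) man:ssh(1)";
+Requires = "ssh-tpm-agent.socket";
+ConditionEnvironment = "!SSH_AGENT_PID";
+};
+serviceConfig = {
+Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.socket";
+ExecStart = "${pkgs.ssh-tpm-agent}/bin/ssh-tpm-agent";
+PassEnvironment = "SSH_AGENT_PID";
+SuccessExitStatus = 2;
+Type = "simple";
+};
+wants = [ "ssh-tpm-agent.socket" ];
+};
+
+systemd.user.sockets.ssh-tpm-agent = {
+enable = true;
+description = "SSH TPM agent socket";
+socketConfig = {
+ListenStream = "%t/ssh-tpm-agent.sock";
+SocketMode = "0600";
+Service = "ssh-tpm-agent.service";
+};
+
+wantedBy = [ "sockets.target" ];
+};
+
+environment = {
+systemPackages = [ pkgs.ssh-tpm-agent ];
+extraInit = ''
+export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"
+'';
+};
+};
+}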
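Review bot: `serviceConfig.Environment` sets `SSH_AUTH_SOCK` to `%t/ssh-tpm-agent.socket`, while the socket unit listens on `%t/ssh-tpm-agent.sock` and `environment.extraInit` exports the `.sock` path as well; `.socket` is the systemd unit name, not the filesystem path, so whatever the agent does with that variable it points at a path nothing listens on. The fix is `Environment = "SSH_AUTH_SOCK=%t/ssh-tpm-agent.sock";`. The per-user socket under `%t` with `SocketMode = "0600"` keeps the key-holding agent reachable only by its owner, which is the right default and deserves a comment on that line so it is not relaxed later, e.g. `# owner-only: anyone who can reach the socket can sign with the TPM keys`. The `extraInit` export applies to every interactive login on the host regardless of whether that user's socket unit is active, which is presumably fine for a single-user machine — confirm.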
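--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, lib, ... }:
+
+{
+nixpkgs.overlays = [
+(self: super: {
+ssh-tpm-agent =
+pkgs.callPackage ./pkgs/ssh-tpm-agent.nix { };
+})
+];
+}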
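Review bot: Inside the overlay function the package is built with `pkgs.callPackage`, i.e. the module argument, instead of the overlay's own `super`/`self`; this only works because the attribute is evaluated lazily, and the conventional form `ssh-tpm-agent = super.callPackage ./pkgs/ssh-tpm-agent.nix { };` keeps the overlay self-contained and free of a reference to the final `pkgs` it is helping to define. The `config` and `lib` module arguments are unused, so the header can shrink to `{ pkgs, ... }:` (or `{ ... }:` once `pkgs` is no longer referenced).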
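--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -0,0 +1,6 @@
+{ config, pkgs, ... }:
+{
+imports = [
+./add-pkgs.nix
+];
+}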
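--- a/overlays/pkgs/ssh-tpm-agent.nix
+++ b/overlays/pkgs/ssh-tpm-agent.nix
@@ -0,0 +1,33 @@
+{ lib
+, buildGo122Module
+, fetchFromGitHub
+, openssl
+}:
+
+buildGo122Module rec {
+pname = "ssh-tpm-agent";
+version = "0.3.1";
+
+src = fetchFromGitHub {
+owner = "Foxboron";
+repo = "ssh-tpm-agent";
+rev = "v${version}";
+hash = "sha256-8CGSiCOcns4cWkYWqibs6hAFRipYabKPCpkhxF4OE8w=";
+};
+
+proxyVendor = true;
+
+vendorHash = "sha256-zUAIesBeuh1zlxXcjKSNmMawZGgUr9z3NzT0XKn/YCQ=";
+
+buildInputs = [
+openssl
+];
+
+meta = with lib; {
+description = "SSH agent with support for TPM sealed keys for public key authentication";
+homepage = "https://github.com/Foxboron/ssh-agent-tpm";
+license = licenses.mit;
+platforms = platforms.linux;
+maintainers = with maintainers; [ sgo ];
+};
+}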
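Review bot: `meta.homepage` points at `github.com/Foxboron/ssh-agent-tpm` while `src` fetches `Foxboron/ssh-tpm-agent`; the two should agree, `homepage = "https://github.com/Foxboron/ssh-tpm-agent";`. The `rev = "v${version}"` tag is mutable, but `hash` and `vendorHash` pin the fetched source and vendored modules, so a moved tag fails the build instead of silently changing the agent binary — worth a comment on `hash` so a future bump does not leave a placeholder hash in place. `maintainers = with maintainers; [ sgo ];` only evaluates if `sgo` is an attribute of `lib.maintainers`; for an out-of-tree package an empty list avoids a failing `meta` — confirm against the nixpkgs maintainer list.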